Vulnerability Description
phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5
- https://www.vulncheck.com/advisories/phpmyfaq-insufficient-authorization-check-i
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5
FAQ
What is CVE-2026-45009?
CVE-2026-45009 is a vulnerability with a CVSS score of 4.3 (MEDIUM). phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status...
How severe is CVE-2026-45009?
CVE-2026-45009 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-45009?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.